Grafana

Overview

This is a flavour containing the grafana visualisation interface used to view prometheus or loki datasources among others.

It also contains node_exporter and a local consul agent, and expects a consul server instance to be available that the agent can connect to (see configuration below). You can e.g. use the consul pot flavour on this site to run consul.

Installation

  • Create a ZFS dataset on the parent system beforehand:
    zfs create -o mountpoint=/mnt/grafanadata zroot/grafanadata
  • Create your local jail from the image or the flavour files.
  • Clone the local jail.
  • Mount in the ZFS dataset you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/grafanadata
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 3000:3000
  • Adjust to your environment:
       -E IP=<IP address of this system> -E CONSULSERVERS='<correctly formatted list of quoted IP addresses>' \
       -E VAULTSERVER=<IP address vault server> -E VAULTTOKEN=<token> \
       -E PROMSOURCE="10.0.0.1" -E LOKISOURCE="10.0.0.2" -E INFLUXDBSOURCE="10.0.0.3" -E INFLUXDATABASE=<database name> \
       [-E GRAFANAUSER=<username> -E GRAFANAPASSWORD=<password>] \
       [-E GOSSIPKEY=<32 byte Base64 key from consul keygen>] [-E REMOTELOG=<remote syslog IP>]
    
    

The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'

The GOSSIPKEY parameter is the gossip encryption key for the consul agent. If you do not set the parameter, a default key is used. Do not use the default key for production encryption; provide your own instead.

The VAULTSERVER parameter is the IP address of the vault server to authenticate to, and obtain certificates from.

The VAULTTOKEN parameter is the issued token from the vault server.

The PROMSOURCE parameter is the IP address of the prometheus data source.

The LOKISOURCE parameter is the IP address of the loki data source.

The INFLUXDBSOURCE parameter is the IP address of the influxdb data source. The INFLUXDATABASE parameter must also be set with the name of the database to query.

The default grafana user and password are both admin; however, you can set your own credentials with the parameters GRAFANAUSER and GRAFANAPASSWORD.

The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.
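
A pre-flight check for the values described above, as an added example that is not part of the flavour (function names are hypothetical). It relies on what the cook script further down this page does with the values: CONSULSERVERS and GOSSIPKEY are written into agent.json verbatim, so both must carry their own double quotes, and GRAFANAPASSWORD is substituted with sed using / as the delimiter.

```shell
#!/bin/sh
# Added example, not part of the flavour: validate -E values on the host
# before handing them to the jail. Function names are hypothetical.

# Default gossip key hard-coded in the cook script on this page.
DEFAULT_GOSSIPKEY='BY+vavBUSEmNzmxxS3k3bmVFn1giS4uEudc774nBhIw='

# Succeeds if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# CONSULSERVERS is pasted into "start_join": [ ... ] as-is, so it must be
# a comma-separated list of double-quoted IPv4 addresses.
check_consulservers() {
    rest="$1,"   # sentinel comma: a trailing comma shows up as an empty item
    while [ -n "$rest" ]; do
        item=${rest%%,*}
        rest=${rest#*,}
        item=${item#"${item%%[! ]*}"}   # trim leading spaces
        item=${item%"${item##*[! ]}"}   # trim trailing spaces
        case "$item" in
            '"'*'"') addr=${item#\"}; addr=${addr%\"} ;;
            *) echo "CONSULSERVERS: item '$item' is not double-quoted" >&2; return 1 ;;
        esac
        is_ipv4 "$addr" || { echo "CONSULSERVERS: '$addr' is not an IPv4 address" >&2; return 1; }
    done
    return 0
}

# GOSSIPKEY is written unquoted after "encrypt":, so the value must include
# its double quotes. 32 bytes in Base64 is 43 alphabet characters plus '='.
check_gossipkey() {
    case "$1" in
        '"'*'"') key=${1#\"}; key=${key%\"} ;;
        *) echo "GOSSIPKEY must include surrounding double quotes" >&2; return 1 ;;
    esac
    if [ "$key" = "$DEFAULT_GOSSIPKEY" ]; then
        echo "GOSSIPKEY is the published default key" >&2; return 1
    fi
    body=${key%=}
    if [ "${#key}" -ne 44 ] || [ "${#body}" -ne 43 ]; then
        echo "GOSSIPKEY is not a 32 byte Base64 key" >&2; return 1
    fi
    case "$body" in
        *[!A-Za-z0-9+/]*) echo "GOSSIPKEY has non-Base64 characters" >&2; return 1 ;;
    esac
    return 0
}

# The cook script runs sed "s/MYGRAFANAPASSWORD/$GRAFANAPASSWORD/g", so '/',
# '&' and '\' in the value change or break the substitution.
check_grafana_password() {
    if [ -z "$1" ] || [ "$1" = "admin" ]; then
        echo "GRAFANAPASSWORD is empty or the default 'admin'" >&2; return 1
    fi
    case "$1" in
        */*|*'&'*|*'\'*) echo "GRAFANAPASSWORD contains / & or \\" >&2; return 1 ;;
    esac
    return 0
}

# Run all three checks: preflight "$CONSULSERVERS" "$GOSSIPKEY" "$GRAFANAPASSWORD"
preflight() {
    check_consulservers "$1" && check_gossipkey "$2" && check_grafana_password "$3"
}
```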

Usage

To access grafana open the following in a browser:

  • https://:3000

Persistent Storage

Persistent storage will be in the ZFS dataset zroot/grafanadata, available inside the image at /mnt.

If you stop the image, the data will still exist, and a new image can be started up and still use it.

If you need to change the directory parameters for the ZFS dataset, adjust the mount-in command accordingly for the source directory as mounted by the parent OS.

Do not adjust the image destination mount point at /mnt because grafana is configured to use this directory for data.

Problems to pay attention to

The default installation of grafana on FreeBSD has a known bug where grafana crashes, or crashes on a restart:

grafana[96320]: panic: error getting work directory: stat .: permission denied
grafana[96320]: 
grafana[96320]: goroutine 1 [running]:
grafana[96320]: gopkg.in/macaron%2ev1.init.1()
grafana[96320]:         gopkg.in/macaron.v1/macaron.go:317 +0x110

Workable solutions are presented at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255676

This image has implemented both options:

  • remove /usr/bin/env ${grafana_env} from command args
  • add chmod 755 /root to pot flavour script

Important: These are non-standard permissions for /root and allow any user on the system to read files in /root.
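
A check for the exposure described above, as an added example that is not part of the flavour (function names are hypothetical). The cook script on this page writes /root/unwrapped.token and /root/login.token and substitutes the Grafana credentials into /root/grafana.conf; assuming the usual umask of 022, the token files are created readable by others, which matters once /root is 755.

```shell
#!/bin/sh
# Added example, not part of the flavour. Function names are hypothetical.

# Files the cook script on this page leaves in /root that hold secrets.
SECRET_FILES='unwrapped.token login.token grafana.conf'

# Mode string (e.g. drwxr-xr-x) of path $1, taken from `ls -ld` output.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds if users other than owner and group can traverse directory $1.
dir_open_to_others() {
    case "$(mode_of "$1")" in
        d????????[xt]) return 0 ;;
    esac
    return 1
}

# Print "EXPOSED <path>" for each secret under $1 that other users can
# read. Returns 1 if anything is exposed, 0 otherwise.
audit_root_secrets() {
    root=$1
    found=0
    # With a 700 or 750 directory the files are unreachable for others.
    dir_open_to_others "$root" || return 0
    for name in $SECRET_FILES; do
        f="$root/$name"
        [ -f "$f" ] || continue
        case "$(mode_of "$f")" in
            -??????r??) echo "EXPOSED $f"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Restrict the secrets to their owner. The directory mode is left alone
# because the page states grafana needs /root to be 755.
lock_root_secrets() {
    for name in $SECRET_FILES; do
        [ -f "$1/$name" ] && chmod 600 "$1/$name"
    done
    return 0
}
```

Run `audit_root_secrets /root` inside the jail after cook has finished, then `lock_root_secrets /root`; the hourly rotate-certs.sh job runs as root and can still read login.token.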

Getting Started

How To Use The Ready-Made Image

FreeBSD 13.0:
pot import -p grafana-amd64-13_0 -t 0.0.10 -U https://potluck.honeyguide.net/grafana

FreeBSD 12.2:
pot import -p grafana-amd64-12_2 -t 0.0.10 -U https://potluck.honeyguide.net/grafana

If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), you can simply clone the jail after importing it, like this (em0 is the host network adapter in this example):
pot clone -P grafana-amd64-13_0 -p my-cloned-jail -N alias -i "em0|10.10.10.10"

Note: Some images might require specific network configuration; double-check the Overview chapter at the top.

Alternatively: Create a Jail With This Flavour Yourself

1. Create Flavour Files

Save all files and directories from https://github.com/hny-gd/potluck/tree/master/grafana to /usr/local/etc/pot/flavours/

2. Create Jail From Flavour

Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update

with your FreeBSD version (e.g. 12.1) and the name your jail should get.

Note: Some images might require specific network configuration; double-check the Overview chapter at the top.

Version History

0.0.10

  • Turning off flow-control in syslog-ng, setting 120s time_reopen, and reducing log-fifo parameter

0.0.9

  • Fourth attempt at fixing grafana crashing a few minutes after startup. Bug report says to chmod 755 /root.

0.0.8

  • Third attempt at fixing grafana crashing a few minutes after startup. Bug report says to fix the rc file.

0.0.7

  • Second attempt at fixing grafana crashing a few minutes after startup

0.0.6

  • Fixing error with grafana crashing. Standardising cert.pem key.pem ca.pem

0.0.5

  • Implementing syslog-ng with tls for remote logging

0.0.4

  • Adding influxdb data source and parameters

0.0.3

  • Switched to quarterly package sources

0.0.2

  • Updated early Grafana image

0.0.1

  • Grafana image initialised

These images were built on Wed Jul 28 19:22:35 UTC 2021

Manual Image Download Links

grafana-amd64-13_0_0.0.10.xz ( 358.543 MB )
grafana-amd64-13_0_0.0.10.xz.skein ( 0.250977 KB )

grafana-amd64-12_2_0.0.10.xz ( 450.094 MB )
grafana-amd64-12_2_0.0.10.xz.skein ( 0.250977 KB )

Jenkins Pot Creation Logs

grafana-amd64-13_0_0.0.10:


grafana/grafana:
copy-in -s /usr/local/etc/pot/flavours/grafana.d/datasources.yml -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/dashboard.yml -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/grafana.conf -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/grafana.rc -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/home.json -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/homelogs.json -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/syslog-ng.conf -d /root
set-attribute -A start-at-boot -V YES
grafana/grafana.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(expr "$STEPCOUNT" + 1)
  STEP="$@"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$@"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
#echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
  >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package grafana7"
pkg install -y grafana7

step "Install package sudo"
pkg install -y sudo

step "Install package curl"
pkg install -y curl

step "Install package jq"
pkg install -y jq

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package vault"
pkg install -y vault

step "Clean package installation"
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#

# clear any old cook runtime file
step "Remove pre-existing cook script (if any)"
rm -f /usr/local/bin/cook

# this runs when image boots
# ----------------- BEGIN COOK ------------------

step "Create cook script"
echo "#!/bin/sh
RUNS_IN_NOMAD=$RUNS_IN_NOMAD
# declare this again for the pot image, might work carrying variable through like
# with above
COOKLOG=/var/log/cook.log
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
    # If this pot flavour is blocking (i.e. it should not return),
    # we block indefinitely
    if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
    then
        /bin/sh /etc/rc
        tail -f /dev/null
    fi
    exit 0
fi

# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
# not needed, not started automatically, needs configuring

# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
    . /tmp/environment.sh
fi

#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
#

# Check config variables are set
#
if [ -z \${DATACENTER+x} ]; then
    echo 'DATACENTER is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${NODENAME+x} ];
then
    echo 'NODENAME is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${CONSULSERVERS+x} ]; then
    echo 'CONSULSERVERS is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${IP+x} ]; then
    echo 'IP is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${VAULTSERVER+x} ];
then
    echo 'VAULTSERVER is unset - you must include the master vault server IP'
    exit 1
fi
# we need a token from the vault server
if [ -z \${VAULTTOKEN+x} ];
then
    echo 'VAULTTOKEN is unset - see documentation how to configure this flavour. You must pass in a valid token'
    exit 1
fi
# GOSSIPKEY is a 32 byte, Base64 encoded key generated with consul keygen for the consul flavour.
# Re-used for nomad, which is usually 16 byte key but supports 32 byte, Base64 encoded keys
# We'll re-use the one from the consul flavour
if [ -z \${GOSSIPKEY+x} ];
then
    echo 'GOSSIPKEY is unset - see documentation how to configure this flavour, defaulting to preset encrypt key. Do not use this in production!'
    GOSSIPKEY='\"BY+vavBUSEmNzmxxS3k3bmVFn1giS4uEudc774nBhIw=\"'
fi
# required prometheus server
if [ -z \${PROMSOURCE+x} ];
then
    echo 'PROMSOURCE is unset - see documentation how to configure this flavour with IP address of Prometheus host. Exiting.'
    exit 1
fi
# required loki server
if [ -z \${LOKISOURCE+x} ];
then
    echo 'LOKISOURCE is unset - see documentation how to configure this flavour with IP address of Loki host. Exiting.'
    exit 1
fi
# required influxdb server
if [ -z \${INFLUXDBSOURCE+x} ];
then
    echo 'INFLUXDBSOURCE is unset - see documentation how to configure this flavour with IP address of InfluxDB host. Exiting.'
    exit 1
fi
# influxdb database name, falls back to default
if [ -z \${INFLUXDATABASE+x} ];
then
    echo 'INFLUXDATABASE is unset - see documentation how to configure this flavour with InfluxDB database name. Defaulting to default'
    INFLUXDATABASE=\"default\"
fi
# grafana credentials
if [ -z \${GRAFANAUSER+x} ];
then
    echo 'GRAFANAUSER is unset - see documentation how to configure this flavour with credentials. Defaulting to admin'
    GRAFANAUSER=admin
fi
if [ -z \${GRAFANAPASSWORD+x} ];
then
    echo 'GRAFANAPASSWORD is unset - see documentation how to configure this flavour with credentials. Defaulting to admin'
    GRAFANAPASSWORD=admin
fi
# optional logging to remote syslog server
if [ -z \${REMOTELOG+x} ];
then
    echo 'REMOTELOG is unset - see documentation how to configure this flavour with IP address of remote syslog server. Defaulting to null'
    REMOTELOG=\"null\"
fi

# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files

# setup directories for vault usage
mkdir -p /mnt/templates
mkdir -p /mnt/certs/localca

## start consul

# make consul configuration directory and set permissions
mkdir -p /usr/local/etc/consul.d
chmod 750 /usr/local/etc/consul.d

# Create the consul agent config file with imported variables
echo \"{
 \\\"advertise_addr\\\": \\\"\$IP\\\",
 \\\"datacenter\\\": \\\"\$DATACENTER\\\",
 \\\"node_name\\\": \\\"\$NODENAME\\\",
 \\\"data_dir\\\":  \\\"/var/db/consul\\\",
 \\\"dns_config\\\": {
  \\\"a_record_limit\\\": 3,
  \\\"enable_truncate\\\": true
 },
 \\\"verify_incoming\\\": false,
 \\\"verify_outgoing\\\": true,
 \\\"verify_server_hostname\\\":false,
 \\\"verify_incoming_rpc\\\": true,
 \\\"ca_file\\\": \\\"/mnt/certs/ca.pem\\\",
 \\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
 \\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
 \\\"log_file\\\": \\\"/var/log/consul/\\\",
 \\\"log_level\\\": \\\"WARN\\\",
 \\\"encrypt\\\": \$GOSSIPKEY,
 \\\"start_join\\\": [ \$CONSULSERVERS ],
 \\\"telemetry\\\": {
  \\\"prometheus_retention_time\\\": \\\"24h\\\",
  \\\"disable_hostname\\\": true
 },
 \\\"service\\\": {
  \\\"address\\\": \\\"\$IP\\\",
  \\\"name\\\": \\\"node-exporter\\\",
  \\\"tags\\\": [\\\"_app=prometheus\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\", \\\"_datacenter=\$DATACENTER\\\"],
  \\\"port\\\": 9100
 }
}\" > /usr/local/etc/consul.d/agent.json

# set owner and perms on agent.json
chown consul:wheel /usr/local/etc/consul.d/agent.json
chmod 640 /usr/local/etc/consul.d/agent.json

# enable consul
sysrc consul_enable=\"YES\"

# set load parameter for consul config
sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
#sysrc consul_datadir=\"/var/db/consul\"

# Workaround for bug in rc.d/consul script:
sysrc consul_group=\"wheel\"

# setup consul logs, might be redundant if not specified in agent.json above
mkdir -p /var/log/consul
touch /var/log/consul/consul.log
chown -R consul:wheel /var/log/consul

# add the consul user to the wheel group, this seems to be required for
# consul to start on this instance. May need to figure out why.
# I'm not entirely sure this is the correct way to do it
/usr/sbin/pw usermod consul -G wheel

## end consul

## start Vault

# first remove any existing vault configuration
if [ -f /usr/local/etc/vault/vault-server.hcl ]; then
    rm /usr/local/etc/vault/vault-server.hcl
fi
# then setup a fresh vault.hcl specific to the type of image

# default freebsd vault.hcl is /usr/local/etc/vault.hcl and
# the init script /usr/local/etc/rc.d/vault refers to this
# but many vault docs refer to /usr/local/etc/vault/vault-server.hcl
# or similar

# begin vault config
# we're setting a config file but not actually running the vault service
# certificate rotation is being done with a cron job
# token rotation may require the vault service

echo \"disable_mlock = true
ui = false
vault {
  address = \\\"\$VAULTSERVER:8200\\\"
  retry {
    num_retries = 5
  }
}
storage \\\"file\\\" {
  path = \\\"/mnt/vault/data\\\"
}
template {
  source = \\\"/mnt/templates/cert.tpl\\\"
  destination = \\\"/mnt/certs/cert.pem\\\"
}
template {
  source = \\\"/mnt/templates/ca.tpl\\\"
  destination = \\\"/mnt/certs/ca.pem\\\"
}
template {
  source = \\\"/mnt/templates/key.tpl\\\"
  destination = \\\"/mnt/certs/key.pem\\\"
}\" > /usr/local/etc/vault.hcl

# setup template files for certificates
echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl

echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl

echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl

# set permissions on /mnt for vault data
chown -R vault:wheel /mnt/certs
chown -R vault:wheel /mnt/templates

# setup rc.conf entries
# we do not set vault_user=vault because vault will not start
# we're not starting vault as a service
sysrc vault_enable=no
sysrc vault_login_class=root
sysrc vault_syslog_output_enable=\"YES\"
sysrc vault_syslog_output_priority=\"warn\"

# retrieve CA certificates from vault leader
echo \"Retrieving CA certificates from Vault leader\"
/usr/local/bin/vault read -address=https://\$VAULTSERVER:8200 -tls-skip-verify -field=certificate pki/cert/ca > /mnt/certs/CA_cert.crt
/usr/local/bin/vault read -address=https://\$VAULTSERVER:8200 -tls-skip-verify -field=certificate pki_int/cert/ca > /mnt/certs/intermediate.cert.pem

# unwrap the pki token issued by vault leader
echo \"Unwrapping passed in token...\"
/usr/local/bin/vault unwrap -address=https://\$VAULTSERVER:8200 -ca-cert=/mnt/certs/intermediate.cert.pem -format=json \$VAULTTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token
sleep 1
if [ -s /root/unwrapped.token ]; then
    echo \"Token unwrapped\"
    THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
    echo \"Logging in to vault leader to authenticate\"
    echo \"\$THIS_TOKEN\" | /usr/local/bin/vault login -address=https://\$VAULTSERVER:8200 -ca-cert=/mnt/certs/intermediate.cert.pem -method=token -field=token token=- > /root/login.token
    sleep 5
fi

echo \"Setting certificate payload\"
if [ -s /root/login.token ]; then
    # generate certificates to use
    # using this payload.json approach to avoid nested single and double quotes for expansion
    echo \"{
\\\"common_name\\\": \\\"\$NODENAME\\\",
\\\"ttl\\\": \\\"24h\\\",
\\\"ip_sans\\\": \\\"\$IP\\\"
}\" > /mnt/templates/payload.json

    # we use curl to get the certificates in json format as the issue command only has formats: pem, pem_bundle, der
    # but no json format except via the API
    echo \"Generating certificates to use from Vault\"
    HEADER=\$(/bin/cat /root/login.token)
    /usr/local/bin/curl --cacert /mnt/certs/intermediate.cert.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json

    # cli requires [], but web api does not
    #/usr/local/bin/jq -r '.data.issuing_ca[]' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    # if [] left in for this script, you will get error: Cannot iterate over string
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    # syslog-ng wants ca file in a directory, so copy CA file to there too - not currently in use
    cp -f /mnt/certs/ca.pem /mnt/certs/localca/ca.pem
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem

    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs

    # removing as not sure vault service needs to be running here
    # start vault
    #echo \"Starting Vault Agent\"
    #/usr/local/etc/rc.d/vault start

    # start consul agent
    /usr/local/etc/rc.d/consul start

    # setup certificate rotation script
    echo \"#!/bin/sh
if [ -s /root/login.token ]; then
    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
    HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
    /usr/local/bin/curl --cacert /mnt/certs/intermediate.cert.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    # syslog-ng wants ca file in a directory, so copy CA file to there too - not currently in use
    cp -f /mnt/certs/ca.pem /mnt/certs/localca/ca.pem
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs
    # restart services
    /usr/local/etc/rc.d/consul restart
    /usr/local/etc/rc.d/syslog-ng restart
    /usr/local/etc/rc.d/grafana restart
else
    echo \\\"/root/login.token does not contain a token. Certificates cannot be renewed.\\\"
fi
\" > /root/rotate-certs.sh

    if [ -f /root/rotate-certs.sh ]; then
        # make executable
        chmod +x /root/rotate-certs.sh
        # add a crontab entry for every hour
        echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
    fi
else
    echo \"ERROR: There was a problem logging into vault and no certificates were retrieved. Vault not started.\"
fi

# setup syslog-ng
# optional remote logging
if [ ! -z \$REMOTELOG ] && [ \$REMOTELOG != \"null\" ]; then
    if [ -f /root/syslog-ng.conf ]; then
        /usr/bin/sed -i .orig \"s/REMOTELOGIP/\$REMOTELOG/g\" /root/syslog-ng.conf
        cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
        # stop syslogd
        service syslogd onestop || true
        # setup sysrc entries to start and set parameters to accept logs from remote subnet
        sysrc syslogd_enable=\"NO\"
        sysrc syslog_ng_enable=\"YES\"
        #sysrc syslog_ng_flags=\"-u daemon\"
        sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
        /usr/local/etc/rc.d/syslog-ng start
        echo \"syslog-ng setup complete\"
    else
        echo \"/root/syslog-ng.conf is missing?\"
    fi
else
    echo \"REMOTELOG parameter is not set to an IP address. syslog-ng won't operate.\"
fi


## start node_exporter config
# node exporter needs tls setup
echo \"tls_server_config:
  cert_file: /mnt/certs/cert.pem
  key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml

# enable node_exporter service
sysrc node_exporter_enable=\"YES\"
sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"
## end node_exporter config

## start grafana config
# we're mounting in a blank-or-filled ZFS dataset from root system at
# zroot/grafanadata to /mnt

# if /mnt/grafana is empty, copy in /var/db/grafana

if [ ! -d /mnt/grafana ]; then
    # if empty we need to copy in the directory structure from install
    cp -a /var/db/grafana /mnt

    # make sure permissions are good for /mnt/grafana
    chown -R grafana:grafana /mnt/grafana

    # overwrite the rc file with a fixed one as per
    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255676
    if [ -f /root/grafana.rc ]; then
        echo \"replacing grafana rc file with freebsd-fixed one\"
        cp -f /root/grafana.rc /usr/local/etc/rc.d/grafana
        chmod 755 /usr/local/etc/rc.d/grafana
        # this seems to be required, grafana still crashes without it
        chmod 755 /root
    else
        echo \"ERROR - no /root/grafana.rc file\"
    fi

    # copy in the datasource.yml file to /mnt/grafana/provisioning/datasources
    if [ -f /root/datasources.yml ]; then
        /usr/bin/sed -i .orig \"s/MYPROMHOST/\$PROMSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYLOKIHOST/\$LOKISOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYINFLUXHOST/\$INFLUXDBSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/INFLUXDATABASE/\$INFLUXDATABASE/g\" /root/datasources.yml
        cp -f /root/datasources.yml /mnt/grafana/provisioning/datasources/datasources.yml
        chown grafana:grafana /mnt/grafana/provisioning/datasources/datasources.yml
    else
        echo \"ERROR - NO DATASOURCE CONFIG FILE FOUND\"
    fi

    # copy in the dashboard.yml file to /mnt/grafana/provisioning/dashboards
    if [ -f /root/dashboard.yml ]; then
        cp -f /root/dashboard.yml /mnt/grafana/provisioning/dashboards/default.yml
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/default.yml
    else
        echo \"ERROR - NO DASHBOARD DEFAULT CONFIG FILE FOUND\"
    fi
    # include the relevant .json for actual dashboard as follows
    # using https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-freebsd.json
    # as source dashboard json for demo purposes
    if [ -f /root/home.json ]; then
        cp -f /root/home.json /mnt/grafana/provisioning/dashboards/home.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/home.json
    else
        echo \"ERROR - could not find home.json to copy in as default dashboard\"
    fi
    if [ -f /root/homelogs.json ]; then
        cp -f /root/homelogs.json /mnt/grafana/provisioning/dashboards/homelogs.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/homelogs.json
    else
        echo \"ERROR - could not find homelogs.json to copy in as default dashboard\"
    fi
else
    # if /mnt/grafana exists then don't copy in /var/db/grafana
    # make sure permissions are good for /mnt/grafana
    chown -R grafana:grafana /mnt/grafana

    # overwrite the rc file with a fixed one as per
    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255676
    if [ -f /root/grafana.rc ]; then
        echo \"replacing grafana rc file with freebsd-fixed one\"
        cp -f /root/grafana.rc /usr/local/etc/rc.d/grafana
        chmod 755 /usr/local/etc/rc.d/grafana
        # this seems to be required, grafana still crashes without it
        chmod 755 /root
    else
        echo \"ERROR - no /root/grafana.rc file\"
    fi

    # copy in the datasource.yml file to /mnt/grafana/provisioning/datasources
    if [ -f /root/datasources.yml ]; then
        /usr/bin/sed -i .orig \"s/MYPROMHOST/\$PROMSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYLOKIHOST/\$LOKISOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYINFLUXHOST/\$INFLUXDBSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/INFLUXDATABASE/\$INFLUXDATABASE/g\" /root/datasources.yml
        cp -f /root/datasources.yml /mnt/grafana/provisioning/datasources/datasources.yml
        chown grafana:grafana /mnt/grafana/provisioning/datasources/datasources.yml
    else
        echo \"ERROR - NO DATASOURCE CONFIG FILE FOUND\"
    fi

    # copy in the dashboard.yml file to /mnt/grafana/provisioning/dashboards
    if [ -f /root/dashboard.yml ]; then
        cp -f /root/dashboard.yml /mnt/grafana/provisioning/dashboards/default.yml
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/default.yml
    else
        echo \"ERROR - NO DASHBOARD DEFAULT CONFIG FILE FOUND\"
    fi
    # include the relevant .json for actual dashboard as follows
    # home.json is generated from
    # 1. https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-freebsd.json
    # 2. fixed with header bits from https://grafana.com/api/dashboards/13978/revisions/1/download
    # as source dashboard
    if [ -f /root/home.json ]; then
        cp -f /root/home.json /mnt/grafana/provisioning/dashboards/home.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/home.json
    else
        echo \"ERROR - could not find home.json to copy in as default dashboard\"
    fi
    if [ -f /root/homelogs.json ]; then
        cp -f /root/homelogs.json /mnt/grafana/provisioning/dashboards/homelogs.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/homelogs.json
    else
        echo \"ERROR - could not find homelogs.json to copy in as default dashboard\"
    fi
fi

# local edits for grafana.conf here
# the mount path for some options is set to /mnt/grafana/...
if [ -f /root/grafana.conf ]; then
    /usr/bin/sed -i .orig \"s/MYGRAFANAUSER/\$GRAFANAUSER/g\" /root/grafana.conf
    /usr/bin/sed -i .orig \"s/MYGRAFANAPASSWORD/\$GRAFANAPASSWORD/g\" /root/grafana.conf
    cp -f /root/grafana.conf /usr/local/etc/grafana.conf
    # enable grafana service
    sysrc grafana_enable=\"YES\"
    sysrc grafana_config=\"/usr/local/etc/grafana.conf\"
    sysrc grafana_user=\"grafana\"
    sysrc grafana_group=\"grafana\"
    sysrc grafana_syslog_output_enable=\"YES\"
    # start grafana
    /usr/local/etc/rc.d/grafana start
else
    echo \"ERROR - there is no /root/grafana.conf file. Grafana not started\"
fi

## end grafana config

#
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION

# start node_exporter
/usr/local/etc/rc.d/node_exporter start

#
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned

# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
    /bin/sh /etc/rc
    tail -f /dev/null
fi
" > /usr/local/bin/cook

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=\"cook\"
rcvar=\"cook_enable\"
load_rc_config \$name
: \${cook_enable:=\"NO\"}
: \${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok
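
The cook script generated by this flavour falls back to a preset gossip key when GOSSIPKEY is not passed in, and to admin for GRAFANAPASSWORD. The following pre-flight check is an added example, not part of the flavour. The function names are hypothetical, the default key is the one hard-coded in the cook script, and the sample key is constructed.

```shell
#!/bin/sh
# Added example (not part of the flavour): check the security-relevant
# parameters before they are handed to the jail with -E.
# All function names here are hypothetical.

# Default gossip key hard-coded in the flavour's cook script. It is
# published with the flavour, so it provides no confidentiality.
DEFAULT_GOSSIPKEY='BY+vavBUSEmNzmxxS3k3bmVFn1giS4uEudc774nBhIw='

# The cook script stores its default key wrapped in literal double
# quotes, so strip one surrounding pair before comparing.
strip_quotes() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Shape check for a 32-byte Base64 key as produced by "consul keygen":
# 32 bytes encode to 43 Base64 characters plus exactly one '=' pad.
# This checks the form only, not the quality of the key material.
is_32byte_b64() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    body=${key%=}
    [ "${#body}" -eq 43 ] || return 1
    case $body in
        *[!A-Za-z0-9+/]*) return 1 ;;
    esac
    return 0
}

# preflight GOSSIPKEY GRAFANAPASSWORD
# Prints one line per finding and returns the number of findings
# (0 means the values are acceptable).
preflight() {
    gossip=$(strip_quotes "$1")
    pass=$2
    findings=0

    if [ -z "$gossip" ]; then
        echo "GOSSIPKEY: unset, cook will use the published default key"
        findings=$((findings + 1))
    elif [ "$gossip" = "$DEFAULT_GOSSIPKEY" ]; then
        echo "GOSSIPKEY: equals the published default key"
        findings=$((findings + 1))
    elif ! is_32byte_b64 "$gossip"; then
        echo "GOSSIPKEY: not a 32-byte Base64 key (expected 44 characters)"
        findings=$((findings + 1))
    fi

    if [ -z "$pass" ]; then
        echo "GRAFANAPASSWORD: unset, cook will default to admin"
        findings=$((findings + 1))
    elif [ "$pass" = "admin" ]; then
        echo "GRAFANAPASSWORD: set to the default value admin"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample run: nothing passed in, which is what cook sees
# when both optional parameters are omitted.
preflight '' '' || echo "-> $? finding(s), do not deploy with these values"
```
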

grafana/grafana+1:
grafana/grafana+1.sh:

grafana/grafana+2:
grafana/grafana+2.sh:

grafana/grafana+3:
grafana/grafana+3.sh:

grafana/grafana+4:
grafana/grafana+4.sh:
Password:===>  Creating a new pot
===>  pot name : grafana-amd64-13_0
===>  type : single
===>  base : 13.0
===>  pot_base :
===>  level : 0
===>  network-type : public-bridge
===>  network-stack: ipv4
===>  ip : 10.192.0.3
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update grafana grafana+1 grafana+2 grafana+3 grafana+4
===>  Fetching FreeBSD 13.0
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting grafana-amd64-13_0 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot grafana-amd64-13_0
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:aa:cc:bd:8b:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating /var/run/os-release done.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Jul 28 19:07:58 UTC 2021
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on grafana-amd64-13_0
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 13.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 6 patches.... done.
Applying patches... done.
Fetching 6 files... ... done.
The following files will be added as part of updating to
13.0-RELEASE-p3:
/usr/include/c++/v1/barrier
/usr/include/c++/v1/concepts
/usr/include/c++/v1/execution
/usr/include/c++/v1/latch
/usr/include/c++/v1/numbers
/usr/include/c++/v1/semaphore
/usr/include/c++/v1/tr1/barrier
/usr/include/c++/v1/tr1/concepts
/usr/include/c++/v1/tr1/execution
/usr/include/c++/v1/tr1/latch
/usr/include/c++/v1/tr1/numbers
/usr/include/c++/v1/tr1/semaphore
The following files will be updated as part of updating to
13.0-RELEASE-p3:
/bin/freebsd-version
/lib/libcasper.so.1
/usr/bin/bc
/usr/bin/dc
/usr/lib/libradius.a
/usr/lib/libradius.so.4
/usr/lib/libradius_p.a
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
 done.
=====>  Stop the pot grafana-amd64-13_0
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/dev
=====>  Flavour: grafana
=====>  Executing grafana pot commands on grafana-amd64-13_0
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/datasources.yml -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/datasources.yml
=====>  Source /usr/local/etc/pot/flavours/grafana.d/datasources.yml copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/dashboard.yml -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/dashboard.yml
=====>  Source /usr/local/etc/pot/flavours/grafana.d/dashboard.yml copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/grafana.conf -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/grafana.conf
=====>  Source /usr/local/etc/pot/flavours/grafana.d/grafana.conf copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/grafana.rc -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/grafana.rc
=====>  Source /usr/local/etc/pot/flavours/grafana.d/grafana.rc copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/home.json -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/home.json
=====>  Source /usr/local/etc/pot/flavours/grafana.d/home.json copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/homelogs.json -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/homelogs.json
=====>  Source /usr/local/etc/pot/flavours/grafana.d/homelogs.json copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/grafana.d/syslog-ng.conf -> /mnt/data/pot/jails/grafana-amd64-13_0/m/root/syslog-ng.conf
=====>  Source /usr/local/etc/pot/flavours/grafana.d/syslog-ng.conf copied in the pot grafana-amd64-13_0
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-13_0/m/dev is already unmounted
=====>  Starting grafana-amd64-13_0 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot grafana-amd64-13_0
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:9e:bc:ba:0d:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating /var/run/os-release done.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Jul 28 19:08:14 UTC 2021
/usr/local/etc/pot/flavours/grafana.sh -> /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp/grafana.sh
=====>  Executing grafana script on grafana-amd64-13_0
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.16.3...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.16.3: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Create /usr/local/etc/rc.d
Step 6: Install package consul
Updating FreeBSD repository catalogue...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30734 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.9.5

Number of packages to be installed: 1

The process will require 78 MiB more space.
27 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.9.5.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.9.5...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.9.5: ..... done
Step 7: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.1.2

Number of packages to be installed: 1

The process will require 11 MiB more space.
3 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.1.2.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.1.2...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.1.2: .......... done
=====
Message from node_exporter-1.1.2:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 8: Install package grafana7
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.63
	grafana7: 7.5.6

Number of packages to be installed: 2

The process will require 157 MiB more space.
33 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching grafana7-7.5.6.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching ca_root_nss-3.63.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Installing ca_root_nss-3.63...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting ca_root_nss-3.63: ........ done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Installing grafana7-7.5.6...
===> Creating groups.
Creating group 'grafana' with gid '904'.
===> Creating users
Creating user 'grafana' with uid '904'.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting grafana7-7.5.6: .......... done
=====
Message from ca_root_nss-3.63:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.


This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
Step 9: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.7p1

Number of packages to be installed: 3

The process will require 7 MiB more space.
2 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching sudo-1.9.7p1.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching gettext-runtime-0.21.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching indexinfo-0.3.1.txz: . done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.7p1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.7p1: .......... done
Step 10: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	curl: 7.77.0
	libnghttp2: 1.43.0

Number of packages to be installed: 2

The process will require 5 MiB more space.
1 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching curl-7.77.0.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching libnghttp2-1.43.0.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Installing libnghttp2-1.43.0...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting libnghttp2-1.43.0: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Installing curl-7.77.0...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting curl-7.77.0: .......... done
Step 11: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jq: 1.6
	oniguruma: 6.9.7.1

Number of packages to be installed: 2

The process will require 2 MiB more space.
500 KiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.7.1.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.7.1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.7.1: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 12: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.46.2
	glib: 2.66.8,2
	json-c: 0.15_1
	libffi: 3.3_1
	libiconv: 1.16
	libxml2: 2.9.12
	mpdecimal: 2.5.1
	pcre: 8.44
	python38: 3.8.10
	readline: 8.1.1
	syslog-ng: 3.32.1

Number of packages to be installed: 11

The process will require 160 MiB more space.
24 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching syslog-ng-3.32.1.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching e2fsprogs-libuuid-1.46.2.txz: ..... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching pcre-8.44.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching json-c-0.15_1.txz: ........ done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.66.8,2.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching libxml2-2.9.12.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching python38-3.8.10.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching mpdecimal-2.5.1.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching readline-8.1.1.txz: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching libffi-3.3_1.txz: ..... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching libiconv-1.16.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Installing readline-8.1.1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting readline-8.1.1: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Installing libffi-3.3_1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting libffi-3.3_1: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Installing pcre-8.44...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting pcre-8.44: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Installing libxml2-2.9.12...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting libxml2-2.9.12: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Installing python38-3.8.10...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting python38-3.8.10: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Installing libiconv-1.16...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting libiconv-1.16: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Installing e2fsprogs-libuuid-1.46.2...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting e2fsprogs-libuuid-1.46.2: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.15_1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.15_1: .......... done
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Installing glib-2.66.8,2...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting glib-2.66.8,2: .......... done
No schema files found: doing nothing.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.32.1...
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.32.1: .......... done
=====
Message from python38-3.8.10:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py38-gdbm       databases/py-gdbm@py38
py38-sqlite3    databases/py-sqlite3@py38
py38-tkinter    x11-toolkits/py-tkinter@py38
=====
Message from syslog-ng-3.32.1:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 13: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.7.3

Number of packages to be installed: 1

The process will require 149 MiB more space.
49 MiB to be downloaded.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.7.3.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.7.3...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[grafana-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.7.3: ..... done
=====
Message from vault-1.7.3:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/login.conf to 1024M or more and run:

cap_mkdb /etc/login.conf

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 14: Clean package installation
The following package files will be deleted:
	/var/cache/pkg/python38-3.8.10.txz
	/var/cache/pkg/sudo-1.9.7p1.txz
	/var/cache/pkg/libxml2-2.9.12~808886ae95.txz
	/var/cache/pkg/consul-1.9.5.txz
	/var/cache/pkg/pcre-8.44~18fdb314f8.txz
	/var/cache/pkg/ca_root_nss-3.63~2e4dafd35f.txz
	/var/cache/pkg/vault-1.7.3~e104fea0c0.txz
	/var/cache/pkg/sudo-1.9.7p1~f275c1822e.txz
	/var/cache/pkg/node_exporter-1.1.2~fc91952053.txz
	/var/cache/pkg/libnghttp2-1.43.0.txz
	/var/cache/pkg/vault-1.7.3.txz
	/var/cache/pkg/libffi-3.3_1~ceb6b0f52a.txz
	/var/cache/pkg/pcre-8.44.txz
	/var/cache/pkg/libiconv-1.16.txz
	/var/cache/pkg/libiconv-1.16~58a485ac67.txz
	/var/cache/pkg/grafana7-7.5.6~51be665b20.txz
	/var/cache/pkg/gettext-runtime-0.21.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.2.txz
	/var/cache/pkg/gettext-runtime-0.21~051ad548f7.txz
	/var/cache/pkg/jq-1.6.txz
	/var/cache/pkg/libxml2-2.9.12.txz
	/var/cache/pkg/json-c-0.15_1~c9e6e8b4e3.txz
	/var/cache/pkg/oniguruma-6.9.7.1~992ea8fca0.txz
	/var/cache/pkg/indexinfo-0.3.1.txz
	/var/cache/pkg/readline-8.1.1~f705aeb15c.txz
	/var/cache/pkg/mpdecimal-2.5.1.txz
	/var/cache/pkg/consul-1.9.5~bde1e68fea.txz
	/var/cache/pkg/libffi-3.3_1.txz
	/var/cache/pkg/readline-8.1.1.txz
	/var/cache/pkg/curl-7.77.0.txz
	/var/cache/pkg/python38-3.8.10~779ca296e6.txz
	/var/cache/pkg/glib-2.66.8,2~9873f41b28.txz
	/var/cache/pkg/indexinfo-0.3.1~d4818e637c.txz
	/var/cache/pkg/glib-2.66.8,2.txz
	/var/cache/pkg/oniguruma-6.9.7.1.txz
	/var/cache/pkg/curl-7.77.0~b352d1e3c3.txz
	/var/cache/pkg/node_exporter-1.1.2.txz
	/var/cache/pkg/syslog-ng-3.32.1~6053da93ff.txz
	/var/cache/pkg/mpdecimal-2.5.1~6a1530aa63.txz
	/var/cache/pkg/ca_root_nss-3.63.txz
	/var/cache/pkg/syslog-ng-3.32.1.txz
	/var/cache/pkg/libnghttp2-1.43.0~e01ce95679.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.2~ba64737474.txz
	/var/cache/pkg/jq-1.6~48e58e6577.txz
	/var/cache/pkg/grafana7-7.5.6.txz
	/var/cache/pkg/json-c-0.15_1.txz
The cleanup will free 139 MiB
Deleting files: .......... done
All done
Step 15: Remove pre-existing cook script (if any)
Step 16: Create cook script
Step 17: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 18: Create rc.d script to start cook
creating rc.d script to start cook
Step 19: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 20: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot grafana-amd64-13_0
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/tmp
=====>  unmount /mnt/data/pot/jails/grafana-amd64-13_0/m/dev
=====>  Flavour: grafana+1
=====>  Executing grafana+1 pot commands on grafana-amd64-13_0
=====>  No shell script available for the flavour grafana+1
=====>  Flavour: grafana+2
=====>  Executing grafana+2 pot commands on grafana-amd64-13_0
=====>  No shell script available for the flavour grafana+2
=====>  Flavour: grafana+3
=====>  Executing grafana+3 pot commands on grafana-amd64-13_0
=====>  No shell script available for the flavour grafana+3
=====>  Flavour: grafana+4
=====>  Executing grafana+4 pot commands on grafana-amd64-13_0
=====>  No shell script available for the flavour grafana+4

grafana-amd64-12_2_0.0.10:


grafana/grafana:
copy-in -s /usr/local/etc/pot/flavours/grafana.d/datasources.yml -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/dashboard.yml -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/grafana.conf -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/grafana.rc -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/home.json -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/homelogs.json -d /root
copy-in -s /usr/local/etc/pot/flavours/grafana.d/syslog-ng.conf -d /root
set-attribute -A start-at-boot -V YES
grafana/grafana.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(expr "$STEPCOUNT" + 1)
  STEP="$@"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$@"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
#echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
  >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package grafana7"
pkg install -y grafana7

step "Install package sudo"
pkg install -y sudo

step "Install package curl"
pkg install -y curl

step "Install package jq"
pkg install -y jq

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package vault"
pkg install -y vault

step "Clean package installation"
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only sleeps (if nomad-jail) or simply exits
#

# clear any old cook runtime file
step "Remove pre-existing cook script (if any)"
rm -f /usr/local/bin/cook

# this runs when image boots
# ----------------- BEGIN COOK ------------------

step "Create cook script"
echo "#!/bin/sh
RUNS_IN_NOMAD=$RUNS_IN_NOMAD
# declare this again for the pot image; carrying the variable through as with
# RUNS_IN_NOMAD above might also work
COOKLOG=/var/log/cook.log
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
    # If this pot flavour is blocking (i.e. it should not return),
    # we block indefinitely
    if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
    then
        /bin/sh /etc/rc
        tail -f /dev/null
    fi
    exit 0
fi

# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
# not needed, not started automatically, needs configuring

# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
    . /tmp/environment.sh
fi

#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
#

# Check config variables are set
#
if [ -z \${DATACENTER+x} ]; then
    echo 'DATACENTER is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${NODENAME+x} ];
then
    echo 'NODENAME is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${CONSULSERVERS+x} ]; then
    echo 'CONSULSERVERS is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${IP+x} ]; then
    echo 'IP is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${VAULTSERVER+x} ];
then
    echo 'VAULTSERVER is unset - you must include the master vault server IP'
    exit 1
fi
# we need a token from the vault server
if [ -z \${VAULTTOKEN+x} ];
then
    echo 'VAULTTOKEN is unset - see documentation how to configure this flavour. You must pass in a valid token'
    exit 1
fi
# GOSSIPKEY is a 32 byte, Base64 encoded key generated with consul keygen for the consul flavour.
# Re-used for nomad, which is usually 16 byte key but supports 32 byte, Base64 encoded keys
# We'll re-use the one from the consul flavour
if [ -z \${GOSSIPKEY+x} ];
then
    echo 'GOSSIPKEY is unset - see documentation how to configure this flavour, defaulting to preset encrypt key. Do not use this in production!'
    GOSSIPKEY='\"BY+vavBUSEmNzmxxS3k3bmVFn1giS4uEudc774nBhIw=\"'
fi
# required prometheus server
if [ -z \${PROMSOURCE+x} ];
then
    echo 'PROMSOURCE is unset - see documentation how to configure this flavour with IP address of Prometheus host. Exiting.'
    exit 1
fi
# required loki server
if [ -z \${LOKISOURCE+x} ];
then
    echo 'LOKISOURCE is unset - see documentation how to configure this flavour with IP address of Loki host. Exiting.'
    exit 1
fi
# required influxdb server
if [ -z \${INFLUXDBSOURCE+x} ];
then
    echo 'INFLUXDBSOURCE is unset - see documentation how to configure this flavour with IP address of InfluxDB host. Exiting.'
    exit 1
fi
# optional influxdb database name
if [ -z \${INFLUXDATABASE+x} ];
then
    echo 'INFLUXDATABASE is unset - see documentation how to configure this flavour with InfluxDB database name. Defaulting to default'
    INFLUXDATABASE=\"default\"
fi
# grafana credentials
if [ -z \${GRAFANAUSER+x} ];
then
    echo 'GRAFANAUSER is unset - see documentation how to configure this flavour with credentials. Defaulting to admin'
    GRAFANAUSER=admin
fi
if [ -z \${GRAFANAPASSWORD+x} ];
then
    echo 'GRAFANAPASSWORD is unset - see documentation how to configure this flavour with credentials. Defaulting to admin'
    GRAFANAPASSWORD=admin
fi
# optional logging to remote syslog server
if [ -z \${REMOTELOG+x} ];
then
    echo 'REMOTELOG is unset - see documentation how to configure this flavour with IP address of remote syslog server. Defaulting to null'
    REMOTELOG=\"null\"
fi

# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files

# setup directories for vault usage
mkdir -p /mnt/templates
mkdir -p /mnt/certs/localca

## start consul

# make consul configuration directory and set permissions
mkdir -p /usr/local/etc/consul.d
chmod 750 /usr/local/etc/consul.d

# Create the consul agent config file with imported variables
echo \"{
 \\\"advertise_addr\\\": \\\"\$IP\\\",
 \\\"datacenter\\\": \\\"\$DATACENTER\\\",
 \\\"node_name\\\": \\\"\$NODENAME\\\",
 \\\"data_dir\\\":  \\\"/var/db/consul\\\",
 \\\"dns_config\\\": {
  \\\"a_record_limit\\\": 3,
  \\\"enable_truncate\\\": true
 },
 \\\"verify_incoming\\\": false,
 \\\"verify_outgoing\\\": true,
 \\\"verify_server_hostname\\\":false,
 \\\"verify_incoming_rpc\\\": true,
 \\\"ca_file\\\": \\\"/mnt/certs/ca.pem\\\",
 \\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
 \\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
 \\\"log_file\\\": \\\"/var/log/consul/\\\",
 \\\"log_level\\\": \\\"WARN\\\",
 \\\"encrypt\\\": \$GOSSIPKEY,
 \\\"start_join\\\": [ \$CONSULSERVERS ],
 \\\"telemetry\\\": {
  \\\"prometheus_retention_time\\\": \\\"24h\\\",
  \\\"disable_hostname\\\": true
 },
 \\\"service\\\": {
  \\\"address\\\": \\\"\$IP\\\",
  \\\"name\\\": \\\"node-exporter\\\",
  \\\"tags\\\": [\\\"_app=prometheus\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\", \\\"_datacenter=\$DATACENTER\\\"],
  \\\"port\\\": 9100
 }
}\" > /usr/local/etc/consul.d/agent.json

# set owner and perms on agent.json
chown consul:wheel /usr/local/etc/consul.d/agent.json
chmod 640 /usr/local/etc/consul.d/agent.json

# enable consul
sysrc consul_enable=\"YES\"

# set load parameter for consul config
sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
#sysrc consul_datadir=\"/var/db/consul\"

# Workaround for bug in rc.d/consul script:
sysrc consul_group=\"wheel\"

# setup consul logs, might be redundant if not specified in agent.json above
mkdir -p /var/log/consul
touch /var/log/consul/consul.log
chown -R consul:wheel /var/log/consul

# add the consul user to the wheel group, this seems to be required for
# consul to start on this instance. May need to figure out why.
# I'm not entirely sure this is the correct way to do it
/usr/sbin/pw usermod consul -G wheel

## end consul

## start Vault

# first remove any existing vault configuration
if [ -f /usr/local/etc/vault/vault-server.hcl ]; then
    rm /usr/local/etc/vault/vault-server.hcl
fi
# then setup a fresh vault.hcl specific to the type of image

# default freebsd vault.hcl is /usr/local/etc/vault.hcl and
# the init script /usr/local/etc/rc.d/vault refers to this
# but many vault docs refer to /usr/local/etc/vault/vault-server.hcl
# or similar

# begin vault config
# we're setting a config file but not actually running the vault service
# certificate rotation is being done with a cron job
# token rotation may require the vault service

echo \"disable_mlock = true
ui = false
vault {
  address = \\\"\$VAULTSERVER:8200\\\"
  retry {
    num_retries = 5
  }
}
storage \\\"file\\\" {
  path = \\\"/mnt/vault/data\\\"
}
template {
  source = \\\"/mnt/templates/cert.tpl\\\"
  destination = \\\"/mnt/certs/cert.pem\\\"
}
template {
  source = \\\"/mnt/templates/ca.tpl\\\"
  destination = \\\"/mnt/certs/ca.pem\\\"
}
template {
  source = \\\"/mnt/templates/key.tpl\\\"
  destination = \\\"/mnt/certs/key.pem\\\"
}\" > /usr/local/etc/vault.hcl

# setup template files for certificates
echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl

echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl

echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl

# set permissions on /mnt for vault data
chown -R vault:wheel /mnt/certs
chown -R vault:wheel /mnt/templates

# setup rc.conf entries
# we do not set vault_user=vault because vault will not start
# we're not starting vault as a service
sysrc vault_enable=no
sysrc vault_login_class=root
sysrc vault_syslog_output_enable=\"YES\"
sysrc vault_syslog_output_priority=\"warn\"

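# retrieve CA certificates from vault leader
# NOTE: -tls-skip-verify means these two fetches are not authenticated, and the
# intermediate CA saved here is the trust anchor for the vault and curl calls below.
# Compare its fingerprint with the vault leader out of band.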
echo \"Retrieving CA certificates from Vault leader\"
/usr/local/bin/vault read -address=https://\$VAULTSERVER:8200 -tls-skip-verify -field=certificate pki/cert/ca > /mnt/certs/CA_cert.crt
/usr/local/bin/vault read -address=https://\$VAULTSERVER:8200 -tls-skip-verify -field=certificate pki_int/cert/ca > /mnt/certs/intermediate.cert.pem

# unwrap the pki token issued by vault leader
echo \"Unwrapping passed in token...\"
/usr/local/bin/vault unwrap -address=https://\$VAULTSERVER:8200 -ca-cert=/mnt/certs/intermediate.cert.pem -format=json \$VAULTTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token
sleep 1
if [ -s /root/unwrapped.token ]; then
    echo \"Token unwrapped\"
    THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
    echo \"Logging in to vault leader to authenticate\"
    echo \"\$THIS_TOKEN\" | /usr/local/bin/vault login -address=https://\$VAULTSERVER:8200 -ca-cert=/mnt/certs/intermediate.cert.pem -method=token -field=token token=- > /root/login.token
    sleep 5
fi

echo \"Setting certificate payload\"
if [ -s /root/login.token ]; then
    # generate certificates to use
    # using this payload.json approach to avoid nested single and double quotes for expansion
    echo \"{
\\\"common_name\\\": \\\"\$NODENAME\\\",
\\\"ttl\\\": \\\"24h\\\",
\\\"ip_sans\\\": \\\"\$IP\\\"
}\" > /mnt/templates/payload.json

    # we use curl to get the certificates in json format as the issue command only has formats: pem, pem_bundle, der
    # but no json format except via the API
    echo \"Generating certificates to use from Vault\"
    HEADER=\$(/bin/cat /root/login.token)
    /usr/local/bin/curl --cacert /mnt/certs/intermediate.cert.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json

    # cli requires [], but web api does not
    #/usr/local/bin/jq -r '.data.issuing_ca[]' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    # if [] left in for this script, you will get error: Cannot iterate over string
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    # syslog-ng wants ca file in a directory, so copy CA file to there too - not currently in use
    cp -f /mnt/certs/ca.pem /mnt/certs/localca/ca.pem
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem

    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs

    # removing as not sure vault service needs to be running here
    # start vault
    #echo \"Starting Vault Agent\"
    #/usr/local/etc/rc.d/vault start

    # start consul agent
    /usr/local/etc/rc.d/consul start

    # setup certificate rotation script
    echo \"#!/bin/sh
if [ -s /root/login.token ]; then
    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
    HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
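    # verify the vault server against the intermediate CA, as the first-run request in cook does
    /usr/local/bin/curl --cacert /mnt/certs/intermediate.cert.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json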
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    # syslog-ng wants ca file in a directory, so copy CA file to there too - not currently in use
    cp -f /mnt/certs/ca.pem /mnt/certs/localca/ca.pem
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs
    # restart services
    /usr/local/etc/rc.d/consul restart
    /usr/local/etc/rc.d/syslog-ng restart
    /usr/local/etc/rc.d/grafana restart
else
    echo \\\"/root/login.token does not contain a token. Certificates cannot be renewed.\\\"
fi
\" > /root/rotate-certs.sh

    if [ -f /root/rotate-certs.sh ]; then
        # make executable
        chmod +x /root/rotate-certs.sh
        # add a crontab entry for every hour
        echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
    fi
else
    echo \"ERROR: There was a problem logging into vault and no certificates were retrieved. Vault not started.\"
fi

# setup syslog-ng
# optional remote logging
if [ -n \"\$REMOTELOG\" ] && [ \"\$REMOTELOG\" != \"null\" ]; then
    if [ -f /root/syslog-ng.conf ]; then
        /usr/bin/sed -i .orig \"s/REMOTELOGIP/\$REMOTELOG/g\" /root/syslog-ng.conf
        cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
        # stop syslogd
        service syslogd onestop || true
        # setup sysrc entries to start and set parameters to accept logs from remote subnet
        sysrc syslogd_enable=\"NO\"
        sysrc syslog_ng_enable=\"YES\"
        #sysrc syslog_ng_flags=\"-u daemon\"
        sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
        /usr/local/etc/rc.d/syslog-ng start
        echo \"syslog-ng setup complete\"
    else
        echo \"/root/syslog-ng.conf is missing?\"
    fi
else
    echo \"REMOTELOG parameter is not set to an IP address. syslog-ng won't operate.\"
fi


## start node_exporter config
# node exporter needs tls setup
echo \"tls_server_config:
  cert_file: /mnt/certs/cert.pem
  key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml

# enable node_exporter service
sysrc node_exporter_enable=\"YES\"
sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"
## end node_exporter config

## start grafana config
# we're mounting in a blank-or-filled ZFS dataset from root system at
# zroot/grafanadata to /mnt

# if /mnt/grafana is empty, copy in /var/db/grafana

if [ ! -d /mnt/grafana ]; then
    # if empty we need to copy in the directory structure from install
    cp -a /var/db/grafana /mnt

    # make sure permissions are good for /mnt/grafana
    chown -R grafana:grafana /mnt/grafana

    # overwrite the rc file with a fixed one as per
    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255676
    if [ -f /root/grafana.rc ]; then
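        echo \"replacing grafana rc file with freebsd-fixed one\"
        cp -f /root/grafana.rc /usr/local/etc/rc.d/grafana
        chmod 755 /usr/local/etc/rc.d/grafana
        # this seems to be required, grafana still crashes without it
        # note: /root also holds unwrapped.token and login.token, so 755 here makes
        # them reachable by every user in the jail unless their file mode is restricted
        chmod 755 /root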
    else
        echo \"ERROR - no /root/grafana.rc file\"
    fi

    # copy in the datasource.yml file to /mnt/grafana/provisioning/datasources
    if [ -f /root/datasources.yml ]; then
        /usr/bin/sed -i .orig \"s/MYPROMHOST/\$PROMSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYLOKIHOST/\$LOKISOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYINFLUXHOST/\$INFLUXDBSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/INFLUXDATABASE/\$INFLUXDATABASE/g\" /root/datasources.yml
        cp -f /root/datasources.yml /mnt/grafana/provisioning/datasources/datasources.yml
        chown grafana:grafana /mnt/grafana/provisioning/datasources/datasources.yml
    else
        echo \"ERROR - NO DATASOURCE CONFIG FILE FOUND\"
    fi

    # copy in the dashboard.yml file to /mnt/grafana/provisioning/dashboards
    if [ -f /root/dashboard.yml ]; then
        cp -f /root/dashboard.yml /mnt/grafana/provisioning/dashboards/default.yml
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/default.yml
    else
        echo \"ERROR - NO DASHBOARD DEFAULT CONFIG FILE FOUND\"
    fi
    # include the relevant .json for actual dashboard as follows
    # using https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-freebsd.json
    # as source dashboard json for demo purposes
    if [ -f /root/home.json ]; then
        cp -f /root/home.json /mnt/grafana/provisioning/dashboards/home.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/home.json
    else
        echo \"ERROR - could not find home.json to copy in as default dashboard\"
    fi
    if [ -f /root/homelogs.json ]; then
        cp -f /root/homelogs.json /mnt/grafana/provisioning/dashboards/homelogs.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/homelogs.json
    else
        echo \"ERROR - could not find homelogs.json to copy in as logs dashboard\"
    fi
else
    # if /mnt/grafana exists then don't copy in /var/db/grafana
    # make sure permissions are good for /mnt/grafana
    chown -R grafana:grafana /mnt/grafana

    # overwrite the rc file with a fixed one as per
    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255676
    if [ -f /root/grafana.rc ]; then
        echo \"replacing grafana rc file with freebsd-fixed one\"
        cp -f /root/grafana.rc /usr/local/etc/rc.d/grafana
        chmod 755 /usr/local/etc/rc.d/grafana
        # this seems to be required, grafana still crashes without it
        chmod 755 /root
    else
        echo \"ERROR - no /root/grafana.rc file\"
    fi

    # copy in the datasource.yml file to /mnt/grafana/provisioning/datasources
    if [ -f /root/datasources.yml ]; then
        /usr/bin/sed -i .orig \"s/MYPROMHOST/\$PROMSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYLOKIHOST/\$LOKISOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/MYINFLUXHOST/\$INFLUXDBSOURCE/g\" /root/datasources.yml
        /usr/bin/sed -i .orig \"s/INFLUXDATABASE/\$INFLUXDATABASE/g\" /root/datasources.yml
        cp -f /root/datasources.yml /mnt/grafana/provisioning/datasources/datasources.yml
        chown grafana:grafana /mnt/grafana/provisioning/datasources/datasources.yml
    else
        echo \"ERROR - NO DATASOURCE CONFIG FILE FOUND\"
    fi

    # copy in the dashboard.yml file to /mnt/grafana/provisioning/dashboards
    if [ -f /root/dashboard.yml ]; then
        cp -f /root/dashboard.yml /mnt/grafana/provisioning/dashboards/default.yml
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/default.yml
    else
        echo \"ERROR - NO DASHBOARD DEFAULT CONFIG FILE FOUND\"
    fi
    # include the relevant .json for actual dashboard as follows
    # home.json is generated from
    # 1. https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-freebsd.json
    # 2. fixed with header bits from https://grafana.com/api/dashboards/13978/revisions/1/download
    # as source dashboard
    if [ -f /root/home.json ]; then
        cp -f /root/home.json /mnt/grafana/provisioning/dashboards/home.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/home.json
    else
        echo \"ERROR - could not find home.json to copy in as default dashboard\"
    fi
    if [ -f /root/homelogs.json ]; then
        cp -f /root/homelogs.json /mnt/grafana/provisioning/dashboards/homelogs.json
        chown grafana:grafana /mnt/grafana/provisioning/dashboards/homelogs.json
    else
        echo \"ERROR - could not find homelogs.json to copy in as logs dashboard\"
    fi
fi

# local edits for grafana.conf here
# the mount path for some options is set to /mnt/grafana/...
if [ -f /root/grafana.conf ]; then
    /usr/bin/sed -i .orig \"s/MYGRAFANAUSER/\$GRAFANAUSER/g\" /root/grafana.conf
    /usr/bin/sed -i .orig \"s/MYGRAFANAPASSWORD/\$GRAFANAPASSWORD/g\" /root/grafana.conf
    cp -f /root/grafana.conf /usr/local/etc/grafana.conf
    # enable grafana service
    sysrc grafana_enable=\"YES\"
    sysrc grafana_config=\"/usr/local/etc/grafana.conf\"
    sysrc grafana_user=\"grafana\"
    sysrc grafana_group=\"grafana\"
    sysrc grafana_syslog_output_enable=\"YES\"
    # start grafana
    /usr/local/etc/rc.d/grafana start
else
    echo \"ERROR - there is no /root/grafana.conf file. Grafana not started\"
fi

## end grafana config

#
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION

# start node_exporter
/usr/local/etc/rc.d/node_exporter start

#
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned

# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot, and after configuration we now block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
    /bin/sh /etc/rc
    tail -f /dev/null
fi
" > /usr/local/bin/cook

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=\"cook\"
rcvar=\"cook_enable\"
load_rc_config \$name
: \${cook_enable:=\"NO\"}
: \${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok
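
The cook script fills `MYGRAFANAUSER` and `MYGRAFANAPASSWORD` by pasting the variable straight into a sed program, so a password containing `&`, `/` or `\` is rewritten or makes the substitution fail. The following is an added example, not part of the flavour, of the same substitution with the value escaped first; the function names and the two-line template are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of the flavour: fill a MY... placeholder in a config
# template without sed metacharacters in the value changing the result.

NL='
'

# Escape a value for the replacement side of "s/NAME/value/g": backslash,
# "/" (the delimiter) and "&" (the matched text) are special there.
# sed works line by line, so a value containing a newline is refused.
sed_escape_replacement() {
    case $1 in
        *"$NL"*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        sed -e 's|\\|\\\\|g' -e 's|/|\\/|g' -e 's|&|\\\&|g'
}

# The flavour's approach, for comparison: the value is pasted into the sed
# program unescaped. Prints the result instead of editing in place.
render_naive() {
    sed "s/$2/$3/g" "$1"
}

# Replace placeholder $2 in file $1 with the literal value $3.
# The sed program is read from a mode 0600 temp file, so the secret is not
# passed as a command-line argument (printf is a builtin in sh, dash and bash).
render_placeholder() {
    rp_file=$1
    rp_name=$2
    rp_value=$(sed_escape_replacement "$3") || return 1
    rp_prog=$(mktemp "${TMPDIR:-/tmp}/render-prog.XXXXXX") || return 1
    rp_out=$(mktemp "${TMPDIR:-/tmp}/render-out.XXXXXX") ||
        { rm -f "$rp_prog"; return 1; }
    printf 's/%s/%s/g\n' "$rp_name" "$rp_value" > "$rp_prog"
    if sed -f "$rp_prog" "$rp_file" > "$rp_out"; then
        cat "$rp_out" > "$rp_file"    # rewrite in place, keeping owner and mode
        rp_rc=0
    else
        rp_rc=1
    fi
    rm -f "$rp_prog" "$rp_out"
    return "$rp_rc"
}

# Render a constructed two-line template (not the flavour's real grafana.conf)
# with renderer $1 (naive|safe) and value $2; print the admin_password line.
render_sample() {
    rs_dir=$(mktemp -d "${TMPDIR:-/tmp}/render-demo.XXXXXX") || return 1
    printf 'admin_user = MYGRAFANAUSER\nadmin_password = MYGRAFANAPASSWORD\n' \
        > "$rs_dir/grafana.conf"
    rs_rc=0
    case $1 in
        naive)
            render_naive "$rs_dir/grafana.conf" MYGRAFANAPASSWORD "$2" \
                > "$rs_dir/out" 2>/dev/null || rs_rc=1 ;;
        *)
            render_placeholder "$rs_dir/grafana.conf" MYGRAFANAPASSWORD "$2" &&
                cp "$rs_dir/grafana.conf" "$rs_dir/out" || rs_rc=1 ;;
    esac
    if [ "$rs_rc" -eq 0 ]; then
        grep '^admin_password' "$rs_dir/out" || rs_rc=1
    fi
    rm -rf "$rs_dir"
    return "$rs_rc"
}

# "&" in the password: the naive form re-inserts the placeholder name,
# the escaped form writes the password as given.
render_sample naive 'a&b'
render_sample safe 'a&b'
```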

grafana/grafana+1:
grafana/grafana+1.sh:

grafana/grafana+2:
grafana/grafana+2.sh:

grafana/grafana+3:
grafana/grafana+3.sh:

grafana/grafana+4:
grafana/grafana+4.sh:
Password:===>  Creating a new pot
===>  pot name : grafana-amd64-12_2
===>  type : single
===>  base : 12.2
===>  pot_base :
===>  level : 0
===>  network-type : public-bridge
===>  network-stack: ipv4
===>  ip : 10.192.0.4
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update grafana grafana+1 grafana+2 grafana+3 grafana+4
===>  Fetching FreeBSD 12.2
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting grafana-amd64-12_2 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot grafana-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:b5:0e:f5:09:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Jul 28 19:14:35 UTC 2021
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on grafana-amd64-12_2
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update2.freebsd.org... done.
Fetching metadata signature for 12.2-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 76 patches.....10....20....30....40....50....60....70... done.
Applying patches... done.
Fetching 1 files...  done.
The following files will be removed as part of updating to
12.2-RELEASE-p9:
The following files will be added as part of updating to
12.2-RELEASE-p9:
The following files will be updated as part of updating to
12.2-RELEASE-p9:
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
 done.
=====>  Stop the pot grafana-amd64-12_2
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/dev
=====>  Flavour: grafana
=====>  Executing grafana pot commands on grafana-amd64-12_2
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/datasources.yml -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/datasources.yml
=====>  Source /usr/local/etc/pot/flavours/grafana.d/datasources.yml copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/dashboard.yml -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/dashboard.yml
=====>  Source /usr/local/etc/pot/flavours/grafana.d/dashboard.yml copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/grafana.conf -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/grafana.conf
=====>  Source /usr/local/etc/pot/flavours/grafana.d/grafana.conf copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/grafana.rc -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/grafana.rc
=====>  Source /usr/local/etc/pot/flavours/grafana.d/grafana.rc copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/home.json -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/home.json
=====>  Source /usr/local/etc/pot/flavours/grafana.d/home.json copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/homelogs.json -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/homelogs.json
=====>  Source /usr/local/etc/pot/flavours/grafana.d/homelogs.json copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/grafana.d/syslog-ng.conf -> /mnt/data/pot/jails/grafana-amd64-12_2/m/root/syslog-ng.conf
=====>  Source /usr/local/etc/pot/flavours/grafana.d/syslog-ng.conf copied in the pot grafana-amd64-12_2
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/grafana-amd64-12_2/m/dev is already unmounted
=====>  Starting grafana-amd64-12_2 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot grafana-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ea:d1:f5:6d:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Jul 28 19:15:43 UTC 2021
/usr/local/etc/pot/flavours/grafana.sh -> /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp/grafana.sh
=====>  Executing grafana script on grafana-amd64-12_2
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.16.3...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.16.3: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Create /usr/local/etc/rc.d
Step 6: Install package consul
Updating FreeBSD repository catalogue...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30839 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.9.5

Number of packages to be installed: 1

The process will require 78 MiB more space.
27 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.9.5.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.9.5...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.9.5: ..... done
Step 7: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.1.2

Number of packages to be installed: 1

The process will require 11 MiB more space.
3 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.1.2.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.1.2...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.1.2: .......... done
=====
Message from node_exporter-1.1.2:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 8: Install package grafana7
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.63
	grafana7: 7.5.6

Number of packages to be installed: 2

The process will require 157 MiB more space.
33 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching grafana7-7.5.6.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching ca_root_nss-3.63.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Installing ca_root_nss-3.63...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting ca_root_nss-3.63: ........ done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Installing grafana7-7.5.6...
===> Creating groups.
Creating group 'grafana' with gid '904'.
===> Creating users
Creating user 'grafana' with uid '904'.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting grafana7-7.5.6: .......... done
=====
Message from ca_root_nss-3.63:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.


This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
Step 9: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.7p1

Number of packages to be installed: 3

The process will require 7 MiB more space.
2 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching sudo-1.9.7p1.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching gettext-runtime-0.21.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching indexinfo-0.3.1.txz: . done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.7p1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.7p1: .......... done
Step 10: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	curl: 7.77.0
	libnghttp2: 1.43.0

Number of packages to be installed: 2

The process will require 5 MiB more space.
1 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching curl-7.77.0.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching libnghttp2-1.43.0.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Installing libnghttp2-1.43.0...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting libnghttp2-1.43.0: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Installing curl-7.77.0...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting curl-7.77.0: .......... done
Step 11: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jq: 1.6
	oniguruma: 6.9.7.1

Number of packages to be installed: 2

The process will require 2 MiB more space.
498 KiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.7.1.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.7.1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.7.1: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 12: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.46.2
	glib: 2.66.8,2
	json-c: 0.15_1
	libffi: 3.3_1
	libiconv: 1.16
	libxml2: 2.9.12
	mpdecimal: 2.5.1
	pcre: 8.44
	python38: 3.8.10
	readline: 8.1.1
	syslog-ng: 3.32.1

Number of packages to be installed: 11

The process will require 160 MiB more space.
24 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching syslog-ng-3.32.1.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching e2fsprogs-libuuid-1.46.2.txz: ..... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching pcre-8.44.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching json-c-0.15_1.txz: ........ done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.66.8,2.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching libxml2-2.9.12.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching python38-3.8.10.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching mpdecimal-2.5.1.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching readline-8.1.1.txz: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching libffi-3.3_1.txz: ..... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching libiconv-1.16.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Installing readline-8.1.1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting readline-8.1.1: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Installing libffi-3.3_1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting libffi-3.3_1: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Installing pcre-8.44...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting pcre-8.44: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Installing libxml2-2.9.12...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting libxml2-2.9.12: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Installing python38-3.8.10...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting python38-3.8.10: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Installing libiconv-1.16...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting libiconv-1.16: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Installing e2fsprogs-libuuid-1.46.2...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting e2fsprogs-libuuid-1.46.2: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.15_1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.15_1: .......... done
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Installing glib-2.66.8,2...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting glib-2.66.8,2: .......... done
No schema files found: doing nothing.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.32.1...
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.32.1: .......... done
=====
Message from python38-3.8.10:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py38-gdbm       databases/py-gdbm@py38
py38-sqlite3    databases/py-sqlite3@py38
py38-tkinter    x11-toolkits/py-tkinter@py38
=====
Message from syslog-ng-3.32.1:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 13: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.7.3

Number of packages to be installed: 1

The process will require 149 MiB more space.
49 MiB to be downloaded.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.7.3.txz: .......... done
Checking integrity... done (0 conflicting)
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.7.3...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[grafana-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.7.3: ..... done
=====
Message from vault-1.7.3:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/login.conf to 1024M or more and run:

cap_mkdb /etc/login.conf

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 14: Clean package installation
The following package files will be deleted:
The cleanup will free 139 MiB
Deleting files: .......... done
All done
Step 15: Remove pre-existing cook script (if any)
Step 16: Create cook script
Step 17: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 18: Create rc.d script to start cook
creating rc.d script to start cook
Step 19: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 20: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot grafana-amd64-12_2
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/tmp
=====>  unmount /mnt/data/pot/jails/grafana-amd64-12_2/m/dev
=====>  Flavour: grafana+1
=====>  Executing grafana+1 pot commands on grafana-amd64-12_2
=====>  No shell script available for the flavour grafana+1
=====>  Flavour: grafana+2
=====>  Executing grafana+2 pot commands on grafana-amd64-12_2
=====>  No shell script available for the flavour grafana+2
=====>  Flavour: grafana+3
=====>  Executing grafana+3 pot commands on grafana-amd64-12_2
=====>  No shell script available for the flavour grafana+3
=====>  Flavour: grafana+4
=====>  Executing grafana+4 pot commands on grafana-amd64-12_2
=====>  No shell script available for the flavour grafana+4
